Skip to content

AND-14996 Fix script injection in build_webrtc workflow (GVMT-878)#9

Merged
manasprasher-eco merged 4 commits into
mainfrom
manas/feature/AND-14996-workflow-injection-fix
Jun 25, 2026
Merged

AND-14996 Fix script injection in build_webrtc workflow (GVMT-878)#9
manasprasher-eco merged 4 commits into
mainfrom
manas/feature/AND-14996-workflow-injection-fix

Conversation

@manasprasher-eco

@manasprasher-eco manasprasher-eco commented Jun 23, 2026

Copy link
Copy Markdown
Contributor

Summary

Fixes GVMT-878 (CVSS 8.8) — workflow_dispatch inputs (`branch_number`, `milestone`) were interpolated directly into shell `run:` blocks via `${{ }}`, allowing RCE on the runner for anyone with `actions: write`.

Sites flagged in the H1 report: L49, L54, L63–L64.

  • L49, L54 (shell injection): moved to env-var pattern (43783c9) and step-output pattern for downstream sinks (239fa47 includes the fixup).
  • L63–L64 (path traversal in artifact upload): blocked by numeric input validation (239fa47) running first; `with:` parameters now consume validated step outputs, not raw inputs.
  • Token scope reduction: workflow-level `permissions: contents: write` only (2a35281).
  • Supply-chain hardening: all third-party actions pinned to commit SHAs with version comments for Dependabot (49141ee).

Verified with two workflow_dispatch runs against this branch:

  • Malicious input (branch_number="5790; echo PWNED") → fails at Validate inputs in 5s (run).
  • Clean input (branch_number=7632, milestone=145) → all touched steps green in 1h5m, release steps correctly skipped on feature branch (run).

GVMT-878: ${{ inputs.* }} interpolation directly into shell run:
blocks allowed RCE on the runner. Pass branch_number / milestone
through env: and reference as quoted shell variables so the values
are treated as strings, not code.
GVMT-878 hardening: assert branch_number and milestone are numeric
before any clone/build/release runs. Defense in depth on top of the
env-var fix.
GVMT-878 hardening: declare minimum permissions at workflow level.
The release step needs contents:write; everything else defaults to
none. Limits damage if a future injection leaks the token.
GVMT-878 hardening: replace mutable tag refs with immutable SHAs
to prevent tag-hijack supply-chain attacks. Versions in trailing
comments for readability and Dependabot.
@gemini-code-assist

Copy link
Copy Markdown

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

@manasprasher-eco manasprasher-eco marked this pull request as ready for review June 23, 2026 14:22
@manasprasher-eco

Copy link
Copy Markdown
Contributor Author

Waiting on the actual reporter to review this PR

@manasprasher-eco

Copy link
Copy Markdown
Contributor Author

Got confirmation from the reporter that the fix works

@manasprasher-eco manasprasher-eco merged commit d9ab53f into main Jun 25, 2026
1 of 3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants